With the government promoting a cashless economy and various digital payment systems being given a boost, a framework for security of various Prepaid Payment Instruments (PPIs) operating in the country is also required. Therefore, in a bid to make transactions through e-wallets safer and strengthen the grievance redressal mechanism for consumers, the Ministry of Electronics and Information Technology (MeitY) has formulated draft rules for security of prepaid payment instruments under provisions of the Information Technology Act 2000.

The government has also invited public comments on the draft rules latest by 20th March 2017. Here are the key rules for e-wallet firms:

1. Short title and commencement – (1) These rules may be called the Information Technology (Security of Prepaid Payment Instruments) Rules, 2017. (2) They shall come into force on the date of their publication in the Official Gazette.

2. Information security policy
Every e-PPI (electronic pre-paid payment instrument) issuer shall develop an information security policy for security of the payment systems operated by it, in accordance with these rules and any standards specified by the Central Government for this purpose under Rule 17.

3. Privacy policy – (1) Every e-PPI issuer shall have in place and publish on its website and mobile applications the privacy policy and the terms and conditions for use of the payment systems operated by it in simple language, capable of being understood by a reasonable person.
(2) The privacy policy shall include the following details, namely:—
(a) the information collected directly from the customer and information collected otherwise;
(b) uses of the information;
(c) period of retention of information;
(d) purposes for which information can be disclosed and the recipients;
(e) sharing of information with law enforcement agencies;
(f) security practices and procedures;
(g) name and contact details of the Grievance Redressal officer along with mechanism for grievance redressal;
(h) any other details as may be specified by the Central Government for this purpose.

4. Risk assessment and risk control — (1) Every e-PPI issuer shall carry out risk assessment to identify and assess the risks associated with the security of the payment systems operated by it.
(2) Every e-PPI issuer shall review the security measures at least once a year, and after any major security incident or breach or before a major change to its infrastructure or procedures.
(3) Every e-PPI issuer shall implement security measures in accordance with the information security policy to mitigate the identified risks.

5. Customer identification and authentication — (1) Every e-PPI issuer shall ensure that customers are identified through adequate due diligence procedures at the time of issuance of a pre-paid payment instrument, in accordance with applicable guidelines issued by the Reserve Bank of India.

(3) The e-PPI issuer shall adopt multiple factor authentication where a customer initiates a payment against the value stored on the pre-paid payment instrument.

(4) The Central Government may, by notification, exempt e-PPI issuers from the requirement of multiple factor authentication in specified cases depending on the amount, nature of transaction, risk involved and like factors.

(5) The procedure for authentication shall include mechanisms to:
(a) protect the confidentiality of authentication data;
(b) limit the maximum time allowed to the customer to access his payment account online;
(c) specify the maximum number of failed authentication attempts that can take place consecutively within a given period of time and after which the access to an online payment account or the initiation of a payment is temporarily blocked;
(d) protect communication sessions against capture of data transmitted during the authentication procedure or manipulation by unauthorised parties; and
(e) prevent, detect and block fraudulent payments before the e-PPI issuer’s final authorisation.
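Rule 5(5)(b) and (c) require a maximum online session length and a temporary block once a set number of consecutive failed authentication attempts occur within a given period, but leave the actual thresholds to the issuer. The following Python sketch is an added example of how an issuer might implement those two mechanisms; it is not part of the draft rules or of any issuer's code. The thresholds, the salted PBKDF2 storage of the PIN, and the AuthGuard/AuthPolicy names are assumptions. Time is passed in explicitly so the behaviour can be checked deterministically.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple


@dataclass
class AuthPolicy:
    """Thresholds are assumptions for illustration; the draft rules leave them to the issuer."""
    max_failed_attempts: int = 5   # consecutive failures tolerated ...
    failure_window_s: int = 900    # ... within this many seconds (Rule 5(5)(c))
    lockout_s: int = 1800          # length of the temporary block once the threshold is hit
    session_max_s: int = 600       # maximum time an online session may stay open (Rule 5(5)(b))


@dataclass
class CustomerState:
    failures: Deque[float] = field(default_factory=deque)  # times of recent consecutive failures
    blocked_until: float = 0.0
    session_started: Optional[float] = None


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Authentication data is stored salted and stretched, never in clear (Rule 5(5)(a)).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class AuthGuard:
    """Tracks failed PIN attempts per customer and enforces lockout and session limits."""

    def __init__(self, policy: AuthPolicy) -> None:
        self.policy = policy
        self._secrets: Dict[str, Tuple[bytes, bytes]] = {}   # customer -> (salt, pin hash)
        self._state: Dict[str, CustomerState] = {}

    def enrol(self, customer_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._secrets[customer_id] = (salt, _hash_pin(pin, salt))

    def _state_for(self, customer_id: str) -> CustomerState:
        return self._state.setdefault(customer_id, CustomerState())

    def attempt(self, customer_id: str, pin: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'blocked'."""
        st = self._state_for(customer_id)
        pol = self.policy
        if now < st.blocked_until:
            return "blocked"          # inside the temporary block: the PIN is not even checked
        # Forget failures that fall outside the counting window.
        while st.failures and now - st.failures[0] > pol.failure_window_s:
            st.failures.popleft()
        rec = self._secrets.get(customer_id)
        if rec is not None and hmac.compare_digest(_hash_pin(pin, rec[0]), rec[1]):
            st.failures.clear()       # a success ends the run of consecutive failures
            st.session_started = now
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= pol.max_failed_attempts:
            st.blocked_until = now + pol.lockout_s
            st.failures.clear()
            st.session_started = None
            return "blocked"
        return "denied"

    def session_valid(self, customer_id: str, now: float) -> bool:
        """Rule 5(5)(b): an online session expires after session_max_s regardless of activity."""
        st = self._state_for(customer_id)
        if st.session_started is None or now - st.session_started > self.policy.session_max_s:
            st.session_started = None
            return False
        return True


def demo() -> list:
    # Constructed scenario with small thresholds so the behaviour is visible.
    policy = AuthPolicy(max_failed_attempts=3, failure_window_s=60, lockout_s=120, session_max_s=30)
    guard = AuthGuard(policy)
    guard.enrol("cust-1", "1234")
    events = [(0, "0000"), (10, "1111"), (20, "2222"), (30, "1234"), (140, "1234")]
    results = [guard.attempt("cust-1", pin, t) for t, pin in events]
    results.append(guard.session_valid("cust-1", 160))   # 20 s after login: still valid
    results.append(guard.session_valid("cust-1", 171))   # 31 s after login: expired
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the rule as worded: the counter only covers *consecutive* failures, so a successful login clears it, and failures older than the window are discarded before counting, so three failures spread over an hour do not trigger the block. The lockout is applied before the PIN is checked, which keeps the cost of a blocked attempt constant and avoids leaking whether the guess was right.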

6. Traceability
Every e-PPI issuer shall have adequate processes in place to ensure that all interactions with customers or other service providers in relation to accessing payment accounts or initiating payments can be appropriately traced.

7. Personal information
The following information shall be deemed to be personal information for the purpose of Section 72A of the Act—

(a) information collected from the customer or elsewhere at the time of issuance of the pre-paid payment instrument, including name, address, telephone number of the customer;

(b) information collected during use of the payment system operated by the Issuer;

(e) any other information as may be notified by the Central Government.

8. Security of personal information — (1) Every e-PPI issuer shall adopt security measures to protect the security, confidentiality and integrity of the personal information referred to in Rule 7.

(2) Every e-PPI issuer shall contractually require merchants handling any authentication data to have security measures in place to protect such data.

(3) Every e-PPI issuer shall ensure that delivery of any software or initial authentication-related information, such as passwords or PINs, shall be carried out in a secure manner.

9. Access to personal information — (1) The information referred to in Rule 7 shall not be disclosed to any person without the consent of the customer to whom it relates.

(2) Access to confidential information by the employees of the e-PPI issuer shall be on a “need-to-know” and “need-to-use” basis. The process of maintaining confidentiality of information shall be included in the information security policy.

10. Reasonable security practices to be applicable
The financial data of the customer shall be deemed to be sensitive personal data or information for the purposes of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and every e-PPI issuer shall maintain and implement the practices and procedures prescribed in those rules.

(2) The e-PPI issuer shall publish on its website and its mobile application the name and contact details of the Grievance Officer, and the procedure by which customers or any other person who suffers as a result of a violation of these rules can make complaints to the Grievance Officer.

(3) The Grievance Officer shall act within 36 hours and shall resolve the complaint within one month from the date of receipt of such complaint.